users@jersey.java.net

[Jersey] Re: Permit both authorized and unauthorized access

From: Martynas Jusevičius <martynas_at_graphity.org>
Date: Fri, 9 May 2014 13:36:07 +0200

Alberto,

you could drop <security-constraint> and write your own
ContainerRequestFilter for authentication. Here's an example:
https://github.com/jersey/jersey/blob/master/examples/https-clientserver-grizzly/src/main/java/org/glassfish/jersey/examples/httpsclientservergrizzly/SecurityFilter.java


Martynas
graphityhq.com

On Fri, May 9, 2014 at 10:51 AM, Alberto Brosich
<abrosich_at_ogs.trieste.it> wrote:
>
> Hi Dies,
>
> my logic is simple:
>
> if (dataAvailability.compareTo("public") != 0 &&
>         httpServletRequest.getUserPrincipal() == null) {
>     throw new WebApplicationException(Response.Status.FORBIDDEN);
> }
>
> the problem is that I have authorization information only when
> security-constraint is present in web.xml, but in that case unauthorized
> accesses are not permitted (I need it because some data are "public").
>
> Just a summary:
>
> a) "<security-constraint>" in web xml:
> - client connects without authentication information (username and
> password) and Tomcat gives error 401
> - client connects with authentication information (username and password)
> and I can access the private resource
>
> b) NO "<security-constraint>" in web xml:
> No authentication information from httpServletRequest.getUserPrincipal(),
> so it makes no difference whether the client sends authentication information.
> In both cases the client can access "public" data and gets 403 for
> "private" data.
>
> Should be:
>
>               Public   Private
> Unauthorized  200      403
> Authorized    200      200
>
>
> (Unauthorized means that the client does not send authentication information)
>
> Regards
>
> Alberto
>
>
> On Thu, 2014-05-08 at 22:57 +0000, Koper, Dies wrote:
>> Hi Alberto,
>>
>> >- if I have a "security-constraint" section in web.xml protecting that
>> >resource, unauthorized accesses are not permitted.
>>
>> In which case Tomcat returns a 403, which is what you said you wanted?
>>
>> Regards,
>> Dies Koper
>>
>>
>> -----Original Message-----
>> From: Alberto Brosich [mailto:abrosich_at_ogs.trieste.it]
>> Sent: Friday, May 09, 2014 1:08 AM
>> To: users_at_jersey.java.net
>> Subject: [Jersey] Permit both authorized and unauthorized access
>>
>>
>> Hi,
>>
>> I'm new to this list.
>> I have a simple problem but I cannot find a simple solution.
>>
>> I have a web service written using Jersey 2.8 and deployed on tomcat 7.
>>
>> A resource of that ws has to be accessible by all users (authorized or
>> not). In case of unauthorized access (no username and password given)
>> some resources may not be accessible, and the ws should return a 403 error.
>>
>> The problem is that:
>> - if I have a "security-constraint" section in web.xml protecting that
>> resource, unauthorized accesses are not permitted.
>> - If I remove "security-constraint" and the client sends authentication
>> information (BASIC), the servlet request does not contain any
>> authentication data (httpServletRequest.getUserPrincipal() is null).
>>
>> I know this is not strictly a Jersey matter, but some of you may have
>> already solved this problem.
>>
>> Regards
>>
>> Alberto
>>
>>
>>
>>
>
>
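The filter approach Martynas points to, worked out for Alberto's case as an added example (this is not the SecurityFilter from the linked Jersey repository, nor Alberto's code): with no <security-constraint> in web.xml, Tomcat no longer consumes the Authorization header, so a ContainerRequestFilter can perform the Basic authentication itself and install a SecurityContext when credentials are valid, while letting requests without credentials through as anonymous. The class name OptionalBasicAuthFilter, the single-user USERS map and the realm name are constructed for the example; it assumes Java 8 and a Jersey 2.x servlet deployment.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Base64;
import java.util.Collections;
import java.util.Map;
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;

/**
 * Optional HTTP Basic authentication (hypothetical class, not Jersey's own code).
 *  - no Authorization header      -> request continues as anonymous
 *  - valid credentials            -> SecurityContext with the user's Principal
 *  - malformed/wrong credentials  -> 401, so a bad password never silently
 *                                    downgrades to anonymous access
 */
@Provider
@Priority(Priorities.AUTHENTICATION)
public class OptionalBasicAuthFilter implements ContainerRequestFilter {

    // Constructed single-user store for the example. A real deployment would
    // consult a realm or database and compare password hashes, not plaintext.
    private static final Map<String, String> USERS =
            Collections.singletonMap("alice", "correct horse battery staple");

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        String header = ctx.getHeaderString(HttpHeaders.AUTHORIZATION);
        if (header == null) {
            return; // anonymous: keep the container's default unauthenticated SecurityContext
        }
        if (!header.regionMatches(true, 0, "Basic ", 0, 6)) {
            throw unauthorized(); // some other scheme this filter does not handle
        }
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(header.substring(6).trim()),
                    StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            throw unauthorized(); // not valid base64
        }
        int colon = decoded.indexOf(':');
        if (colon < 0) {
            throw unauthorized(); // Basic credentials must be "user:password"
        }
        String user = decoded.substring(0, colon);
        String password = decoded.substring(colon + 1);
        if (!credentialsValid(user, password)) {
            throw unauthorized();
        }
        SecurityContext current = ctx.getSecurityContext();
        boolean secure = current != null && current.isSecure();
        ctx.setSecurityContext(new BasicSecurityContext(user, secure));
    }

    static boolean credentialsValid(String user, String password) {
        String expected = USERS.get(user);
        if (expected == null) {
            return false;
        }
        // Constant-time comparison: response timing must not reveal how much of the password matched.
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                password.getBytes(StandardCharsets.UTF_8));
    }

    private static WebApplicationException unauthorized() {
        return new WebApplicationException(Response.status(Response.Status.UNAUTHORIZED)
                .header(HttpHeaders.WWW_AUTHENTICATE, "Basic realm=\"example\"").build());
    }

    /** Minimal SecurityContext that exposes the authenticated user to resources. */
    static final class BasicSecurityContext implements SecurityContext {
        private final Principal principal;
        private final boolean secure;

        BasicSecurityContext(String user, boolean secure) {
            this.principal = () -> user; // Principal has one abstract method, so a lambda works on Java 8
            this.secure = secure;
        }
        @Override public Principal getUserPrincipal() { return principal; }
        @Override public boolean isUserInRole(String role) { return "user".equals(role); }
        @Override public boolean isSecure() { return secure; }
        @Override public String getAuthenticationScheme() { return SecurityContext.BASIC_AUTH; }
    }
}
```

Register the filter by package scanning of the @Provider or with ResourceConfig.register(OptionalBasicAuthFilter.class). In the resource, inject `@Context SecurityContext sc` and keep Alberto's check unchanged except that it reads `sc.getUserPrincipal()` instead of the servlet request: anonymous callers get 200 on "public" data and 403 on "private" data, authenticated callers get 200 on both, which is exactly the table in his message. The one deliberate deviation from treating everything without a valid principal as anonymous is the 401 for credentials that are present but wrong: a mistyped or stale password should be reported, not quietly demoted to public-only access, and the WWW-Authenticate header lets Basic-capable clients retry.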